Symantec: Identify safe software by reputation

Security firm is testing rating technology that can accurately categorize malware and legitimate programs based on user-guided "reputation", says India CTO.
Written by Lee Min Keong, Contributor

KUALA LUMPUR--Symantec will soon introduce a "reputation-based" software rating technology that it says can accurately categorize malicious malware from legitimate programs.

"Reputation-based security is the latest and greatest technology in malware detection," said Basant Rajan, CTO of the IT security vendor's India office. Essentially, this approach involves looking at where a program can be found across the database of Symantec users, categorizing the reputation of those machines and coming to a judgment on whether the application poses any security risks.

When seeking good food, we'll most likely go to the restaurant with the most customers. That's an example of a reputation-based choice in selecting a restaurant.

Basant Rajan, Symantec India

"When seeking good food, we'll most likely go to the restaurant with the most customers. That's an example of a reputation-based choice in selecting a restaurant," Basant said in an interview with ZDNet Asia, during his visit here at Symantec's Kuala Lumpur office.

"You just look at the behavior of people and make a decision based on that behavior. We can do the same with programs," he explained.

According to Basant, Symantec's reputation-based approach assumes three distinct populations in its user base, which numbers in the millions. "You have one population that is ultra safe, one that is adventurous and one that is completely unsafe," he said.

"We identify these by looking at the history of infections on their machines," said Basant, who plays a key role in driving innovation for Symantec's next-generation technologies, architecture and standards.

The safe group encompasses "prim and proper" users who only download applications from reputable software companies, he explained, while the adventurous group are users who are generally safe but are willing try out online games or new programs.

Users in the unsafe crowd are those who frequent a class of Web sites where they can get infected easily, he added.

For example, when a new program is detected, the reputation-based approach will entail looking at where the program is found among the machines of millions of Symantec users.

"If a large number of the 'safe' machines have it, making an educated guess is to say that this is a safe program," Basant said. "But, if you see this application only [installed] with the unsafe crowd and a few of the adventurous guys, it is almost certain that this is an unsafe program. You wouldn't lose money betting that this is an unsafe program."

The new technology, which is currently being tested, will complement Symantec's current approach to addressing problems with malicious codes. The traditional method involves a blacklist to identify highly prevalent malware, as well as a whitelist to identify popular and legitimate programs.

Asked when the new reputation-based technology will be introduced into its Norton security products, Basant said this "will happen when the product teams deem the market timing is right for it". He added that tests have been encouraging so far, as the false positives rate was extremely low.

The whitelist component was introduced into Norton's security products end-2007 to augment the traditional blacklist approach to detecting malware.

According to Basant, the genesis of introducing whitelists as a mainstream technology for malware control, came about when it became evident the number of malware introduced was more than that of legitimate programs.

Bad outpacing the good
In its Internet Security Threat Report Vol. XIII, covering a six-month period from June to December 2007, Symantec measured the release of both legitimate and malicious software and found that 65 percent of the 54,609 unique applications released to the public, were categorized as malicious. Basant said that marked the first time Symantec observed malicious software outpacing legitimate applications.

"This means if you make a list of all the good programs and bad programs, and the list of good programs is smaller, it becomes worthwhile to keep track of the good programs as opposed to keeping track of the bad ones," he explained. He noted that a key advantage of adopting the whitelist approach was that it enabled Symantec's security programs to run scans considerably faster.

Basant added that Symantec builds and maintains a whitelist of safe programs. While the obvious method is to list all programs from reputable publishers such Microsoft, Adobe and IBM, he noted that there are also lesser-known smaller players writing legitimate programs.

Symantec uses a "crowd sourcing" method to determine if applications from small software developers should be added to the whitelist.

"We can actually look at what seems to be running safely on a vast majority of machines on which that we have a footprint," Basant said. "We just look at the aggregate behavior of these programs over millions of machines, and deduce that these programs are safe and can, therefore, be added to the whitelist."

The Symantec executive acknowledged that the nature of today's security threats has changed radically, as organizations are now targeted individually. "So now, the malware that came to you probably only went to four other people in the world," he said. "How do you ever write a blacklist signature for it when only five people got it?"

To protect the targeted few, Basant said Symantec's security products leverage behavioral analysis technologies and, in the near future, will tap reputation-based security, which does not depend on a signature but behavior or prevalence, to determine whether a program is legitimate.

Lee Min Keong is a freelance IT writer based in Malaysia.

Editorial standards